Skip to content

bug: provider can mangle ENVBUILDER_INIT_SCRIPT #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
johnstcn opened this issue Aug 13, 2024 · 1 comment · Fixed by #32
Closed

bug: provider can mangle ENVBUILDER_INIT_SCRIPT #31

johnstcn opened this issue Aug 13, 2024 · 1 comment · Fixed by #32
Assignees
@johnstcn
Labels
bug Something isn't working

Comments

@johnstcn
Copy link
Member

Given:

locals = {
  envbuilder_env = {
    "CODER_AGENT_TOKEN": coder_agent.main.token,
    ...
  }
  # Convert the above map to the format expected by the docker provider.
  docker_env = [
    for k, v in local.envbuilder_env : "${k}=${v}"
  ]
)

...

resource "envbuilder_cached_image" "cached" {
   ...
  extra_env = local.envbuilder_env
}

resource "docker_container" "workspace" {
  ...
  env = var.cache_repo == "" ? local.docker_env : envbuilder_cached_image.cached.0.env
}

You may get:

root@0cb1aac9b261:/# $ENVBUILDER_INIT_SCRIPT
+ '#!/usr/bin/env' 'sh\nset' '-eux\n#' Sleep for a good long while before 'exiting.\n#' This is to allow folks to exec into a failed workspace and poke around 'to\n#' 'troubleshoot.\nwaitonexit()' '{\n\techo' '\"===' Agent script exited with non-zero code '($?).' Sleeping 24h to preserve 'logs...\"\n\tsleep' '86400\n}\ntrap' waitonexit 'EXIT\nBINARY_DIR=\"${BINARY_DIR:-$(mktemp' -d -t 'coder.XXXXXX)}\"\nBINARY_NAME=coder\nBINARY_URL=http://host.docker.internal:7080/bin/coder-linux-amd64\ncd' '\"$BINARY_DIR\"\n#' Attempt to download the coder 'agent.\n#' This could fail for a number of reasons, many of which are likely 'transient.\n#' So just keep 'trying!\nwhile' ':;' 'do\n\t#' Try a number of different download tools, as we don not know what 'we\n\t#' will have 'available.\n\tstatus=\"\"\n\tif' command -v curl '>/dev/null' '2>&1;' 'then\n\t\tcurl' -fsSL --compressed '\"${BINARY_URL}\"' -o '\"${BINARY_NAME}\"' '&&' 'break\n\t\tstatus=$?\n\telif' command -v wget '>/dev/null' '2>&1;' 'then\n\t\twget' -q '\"${BINARY_URL}\"' -O '\"${BINARY_NAME}\"' '&&' 'break\n\t\tstatus=$?\n\telif' command -v busybox '>/dev/null' '2>&1;' 'then\n\t\tbusybox' wget -q '\"${BINARY_URL}\"' -O '\"${BINARY_NAME}\"' '&&' 'break\n\t\tstatus=$?\n\telse\n\t\techo' '\"error:' no download tool found, please install curl, wget or busybox 'wget\"\n\t\texit' '127\n\tfi\n\techo' '\"error:' failed to download coder 'agent\"\n\techo' '\"' command returned: '${status}\"\n\techo' '\"Trying' again in 30 'seconds...\"\n\tsleep' '30\ndone\n\nif' '!' chmod +x '$BINARY_NAME;' 'then\n\techo' '\"Failed' to make '$BINARY_NAME' 'executable\"\n\texit' '1\nfi\n\nhaslibcap2()' '{\n\tcommand' -v setcap /dev/null '2>&1\n\tcommand' -v capsh /dev/null '2>&1\n}\nprintnetadminmissing()' '{\n\techo' '\"The' root user does not have CAP_NET_ADMIN permission. '\"' + '\\\n\t\t\"If' running in Docker, add the capability to the container for '\"' + '\\\n\t\t\"improved' network 'performance.\"\n\techo' '\"This' has security implications. See 'https://man7.org/linux/man-pages/man7/capabilities.7.html\"\n}\n\n#' Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to 'increase\n#' network buffers which improves network transfer 'speeds.\nif' '[' -n '\"${USE_CAP_NET_ADMIN:-}\"' '];' 'then\n\t#' If running as root, we do not need to do 'anything.\n\tif' '[' '\"$(id' '-u)\"' -eq 0 '];' 'then\n\t\techo' '\"Running' as root, skipping 'setcap\"\n\t\t#' Warn the user if root does not have 'CAP_NET_ADMIN.\n\t\tif' '!' capsh '--has-p=CAP_NET_ADMIN;' 'then\n\t\t\tprintnetadminmissing\n\t\tfi\n\n\t#' If not running as root, make sure we have sudo perms and the '\"setcap\"' '+\n\t#' '\"capsh\"' binaries 'exist.\n\telif' sudo -nl '&&' 'haslibcap2;' 'then\n\t\t#' Make sure the root user has 'CAP_NET_ADMIN.\n\t\tif' sudo -n capsh '--has-p=CAP_NET_ADMIN;' 'then\n\t\t\tsudo' -n setcap CAP_NET_ADMIN=+ep './$BINARY_NAME' '||' 'true\n\t\telse\n\t\t\tprintnetadminmissing\n\t\tfi\n\n\t#' If we are not running as root, cant sudo, and '\"setcap\"' does not exist, 'we\n\t#' cannot do 'anything.\n\telse\n\t\techo' '\"Unable' to setcap agent binary. To enable improved network performance, '\"' + '\\\n\t\t\t\"give' the agent passwordless sudo permissions and the '\\\"setcap\\\"' + '\\\"capsh\\\"' 'binaries.\"\n\t\techo' '\"This' has security implications. See 'https://man7.org/linux/man-pages/man7/capabilities.7.html\"\n\tfi\nfi\n\nexport' 'CODER_AGENT_AUTH=\"token\"\nexport' 'CODER_AGENT_URL=\"http://host.docker.internal:7080/\"\n\noutput=$(./${BINARY_NAME}' --version '|' head '-n1)\nif' '!' echo '\"${output}\"' '|' grep -q 'Coder;' 'then\n\techo' '>&2' '\"ERROR:' Downloaded agent binary returned unexpected version 'output\"\n\techo' '>&2' '\"${BINARY_NAME}' --version output: '\\\"${output}\\\"\"\n\texit' '2\nfi\n\nexec' './${BINARY_NAME}' 'agent\n'
bash: #!/usr/bin/env: No such file or directory

It appears that the provider is mangling quotes, likely due to a fmt.Sprintf("%q") somewhere.

root@0cb1aac9b261:/# declare -p ENVBUILDER_INIT_SCRIPT
+ declare -p ENVBUILDER_INIT_SCRIPT
declare -x ENVBUILDER_INIT_SCRIPT="#!/usr/bin/env sh\\nset -eux\\n# Sleep for a good long while before exiting.\\n# This is to allow folks to exec into a failed workspace and poke around to\\n# troubleshoot.\\nwaitonexit() {\\n\\techo \\\"=== Agent script exited with non-zero code (\$?). Sleeping 24h to preserve logs...\\\"\\n\\tsleep 86400\\n}\\ntrap waitonexit EXIT\\nBINARY_DIR=\\\"\${BINARY_DIR:-\$(mktemp -d -t coder.XXXXXX)}\\\"\\nBINARY_NAME=coder\\nBINARY_URL=http://host.docker.internal:7080/bin/coder-linux-amd64\\ncd \\\"\$BINARY_DIR\\\"\\n# Attempt to download the coder agent.\\n# This could fail for a number of reasons, many of which are likely transient.\\n# So just keep trying!\\nwhile :; do\\n\\t# Try a number of different download tools, as we don not know what we\\n\\t# will have available.\\n\\tstatus=\\\"\\\"\\n\\tif command -v curl >/dev/null 2>&1; then\\n\\t\\tcurl -fsSL --compressed \\\"\${BINARY_URL}\\\" -o \\\"\${BINARY_NAME}\\\" && break\\n\\t\\tstatus=\$?\\n\\telif command -v wget >/dev/null 2>&1; then\\n\\t\\twget -q \\\"\${BINARY_URL}\\\" -O \\\"\${BINARY_NAME}\\\" && break\\n\\t\\tstatus=\$?\\n\\telif command -v busybox >/dev/null 2>&1; then\\n\\t\\tbusybox wget -q \\\"\${BINARY_URL}\\\" -O \\\"\${BINARY_NAME}\\\" && break\\n\\t\\tstatus=\$?\\n\\telse\\n\\t\\techo \\\"error: no download tool found, please install curl, wget or busybox wget\\\"\\n\\t\\texit 127\\n\\tfi\\n\\techo \\\"error: failed to download coder agent\\\"\\n\\techo \\\"       command returned: \${status}\\\"\\n\\techo \\\"Trying again in 30 seconds...\\\"\\n\\tsleep 30\\ndone\\n\\nif ! chmod +x \$BINARY_NAME; then\\n\\techo \\\"Failed to make \$BINARY_NAME executable\\\"\\n\\texit 1\\nfi\\n\\nhaslibcap2() {\\n\\tcommand -v setcap /dev/null 2>&1\\n\\tcommand -v capsh /dev/null 2>&1\\n}\\nprintnetadminmissing() {\\n\\techo \\\"The root user does not have CAP_NET_ADMIN permission. \\\" + \\\\\\n\\t\\t\\\"If running in Docker, add the capability to the container for \\\" + \\\\\\n\\t\\t\\\"improved network performance.\\\"\\n\\techo \\\"This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html\\\"\\n}\\n\\n# Attempt to add CAP_NET_ADMIN to the agent binary. This allows us to increase\\n# network buffers which improves network transfer speeds.\\nif [ -n \\\"\${USE_CAP_NET_ADMIN:-}\\\" ]; then\\n\\t# If running as root, we do not need to do anything.\\n\\tif [ \\\"\$(id -u)\\\" -eq 0 ]; then\\n\\t\\techo \\\"Running as root, skipping setcap\\\"\\n\\t\\t# Warn the user if root does not have CAP_NET_ADMIN.\\n\\t\\tif ! capsh --has-p=CAP_NET_ADMIN; then\\n\\t\\t\\tprintnetadminmissing\\n\\t\\tfi\\n\\n\\t# If not running as root, make sure we have sudo perms and the \\\"setcap\\\" +\\n\\t# \\\"capsh\\\" binaries exist.\\n\\telif sudo -nl && haslibcap2; then\\n\\t\\t# Make sure the root user has CAP_NET_ADMIN.\\n\\t\\tif sudo -n capsh --has-p=CAP_NET_ADMIN; then\\n\\t\\t\\tsudo -n setcap CAP_NET_ADMIN=+ep ./\$BINARY_NAME || true\\n\\t\\telse\\n\\t\\t\\tprintnetadminmissing\\n\\t\\tfi\\n\\n\\t# If we are not running as root, cant sudo, and \\\"setcap\\\" does not exist, we\\n\\t# cannot do anything.\\n\\telse\\n\\t\\techo \\\"Unable to setcap agent binary. To enable improved network performance, \\\" + \\\\\\n\\t\\t\\t\\\"give the agent passwordless sudo permissions and the \\\\\\\"setcap\\\\\\\" + \\\\\\\"capsh\\\\\\\" binaries.\\\"\\n\\t\\techo \\\"This has security implications. See https://man7.org/linux/man-pages/man7/capabilities.7.html\\\"\\n\\tfi\\nfi\\n\\nexport CODER_AGENT_AUTH=\\\"token\\\"\\nexport CODER_AGENT_URL=\\\"http://host.docker.internal:7080/\\\"\\n\\noutput=\$(./\${BINARY_NAME} --version | head -n1)\\nif ! echo \\\"\${output}\\\" | grep -q Coder; then\\n\\techo >&2 \\\"ERROR: Downloaded agent binary returned unexpected version output\\\"\\n\\techo >&2 \\\"\${BINARY_NAME} --version output: \\\\\\\"\${output}\\\\\\\"\\\"\\n\\texit 2\\nfi\\n\\nexec ./\${BINARY_NAME} agent\\n"
This was referenced Aug 13, 2024
Merged
Merged
@johnstcn johnstcn self-assigned this Aug 14, 2024
@johnstcn johnstcn added the bug Something isn't working label Aug 14, 2024
@johnstcn johnstcn mentioned this issue Aug 14, 2024
Merged
johnstcn added a commit that referenced this issue Aug 14, 2024
@johnstcn
fix(internal/provider): correct escaping of strings in envbuilder_cac…
68cc59d 
…hed_image.env (#32)

Fixes #31

We had previously been doing the equivalent of value.String() when writing envbuilder_cached_image.env. This was incorrectly escaping newlines, potentially breaking ENVBUILDER_INIT_SCRIPT.

This PR modifies the behaviour to correctly handle string values via ValueString() instead.
@datapedd
Copy link

datapedd commented Sep 1, 2024
edited
Loading

@johnstcn I still get error: no download tool found, please install curl, wget or busybox wget (when I change the DockerFile and restart the workspace). What needs to be changed further?

terraform.txt

@johnstcn johnstcn mentioned this issue Sep 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@johnstcn johnstcn

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@johnstcn @datapedd